https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281592#M758473 <HTML><HEAD></HEAD><BODY><P>Hi sakishor,</P><P></P><P>Cureently the firewall are running on the lan based cable failover, there is no failover key set for the same. now i have set the same without any downtime...</P><P></P><P>thanks in advance.</P></BODY></HTML> Wed, 07 Oct 2009 03:37:43 GMT CSCO10905906 2009-10-07T03:37:43Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281582#M758211 <P>Hi,</P><P>Recently a audit point was raised by auditor, that the failover key is not enabled for the failover(PIX 515).</P><P>Please let me know how to enable the failover key between the PIX firewall without any downtime.</P> Mon, 11 Mar 2019 16:23:10 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281582#M758211 CSCO10905906 2019-03-11T16:23:10Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281583#M758219 <HTML><HEAD></HEAD><BODY><P>Failover is a licensed feature - you probably have a restricted license. If you want to have fail over functionality - you need to purchase it.</P><P></P><P>However is sounds like you are not using fail over anyway - and the auditor is just pointing it out. </P><P></P><P>If you need it - you need to buy it and another PIX device to failover to.</P><P></P><P>HTH&gt;</P></BODY></HTML> Tue, 06 Oct 2009 07:59:15 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281583#M758219 andrew.prince 2009-10-06T07:59:15Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281584#M758241 <HTML><HEAD></HEAD><BODY><P></P><P>hi andrew,</P><P></P><P>The pix firewalls are already running on active-standby mode, but there is no failover key configured on the same.now the point is to set the failover key on the firewalls without any downtime.</P><P></P><P>thanks in advance.</P><P></P><P></P></BODY></HTML> Tue, 06 Oct 2009 08:43:35 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281584#M758241 CSCO10905906 2009-10-06T08:43:35Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281585#M758274 <HTML><HEAD></HEAD><BODY><P>Ahh sorry - are you saying that you are missing the failover shared secret key ??</P><P></P><P>Are the 2 devices in config sync?</P></BODY></HTML> Tue, 06 Oct 2009 08:52:22 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281585#M758274 andrew.prince 2009-10-06T08:52:22Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281586#M758304 <HTML><HEAD></HEAD><BODY><P>Hi Andrew,</P><P></P><P>the firewalls are in sync and working fine in active-standby mode. the objective is to set the failover key for closure of the audit point without any downtime.</P></BODY></HTML> Tue, 06 Oct 2009 08:59:52 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281586#M758304 CSCO10905906 2009-10-06T08:59:52Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281587#M758339 <HTML><HEAD></HEAD><BODY><P>Well - if you configure the primary active firewall with the failover key, it will be replicated to the secondary and should not cause any interuption.</P><P></P><P>Just to be sure - perhaps configure it out of hours, just to be sure.</P></BODY></HTML> Tue, 06 Oct 2009 09:06:49 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281587#M758339 andrew.prince 2009-10-06T09:06:49Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281588#M758369 <HTML><HEAD></HEAD><BODY><P>Export Certificate/Private Key in Failover Configuration</P><P></P><P>The primary device automatically replicates the private key/certificate to the secondary unit. Issue the command write memory in the active unit in order to replicate the configuration (which includes the certificate/private key) to the standby unit. All the keys/certificates on the standby unit are erased and repopulated by the active unit configuration.</P><P></P><P>Note: You must not manually import the certificates, keys, and trust points from the active device and then export to the standby device.</P><P>WARNING: Failover message decryption failure.</P><P></P><P>Error message:</P><P></P><P> Failover message decryption failure. Please make sure both units have the </P><P> same failover shared key and crypto license or system is not out of memory</P><P></P><P>This problem occurs due to failover key configuration. In order to resolve this issue, remove the failover key, and configure the new shared key.</P></BODY></HTML> Tue, 06 Oct 2009 09:07:48 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281588#M758369 andrew.prince 2009-10-06T09:07:48Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281589#M758393 <HTML><HEAD></HEAD><BODY><P>well from what i have seen, unlike an ASA which uses just 1 licence for both pri and failover device, a pix uses 2 types of licence, a unrestricted and a failover one. </P><P> if the you enter the standby activation key in the primary device, why would the primary reflect this on the standby device, the activation key is one part which is not replicated, and the reason for this being that activation is NOT a part of the configs set.</P><P></P><P>Could you please clarify as i am still new into the world of networks and this is just something i have observed.</P></BODY></HTML> Tue, 06 Oct 2009 10:47:53 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281589#M758393 uzair syed naveed 2009-10-06T10:47:53Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281590#M758414 <HTML><HEAD></HEAD><BODY><P>This post is actually refering to failover config - not licensing, my fault as that is what I first thought this was about.</P><P></P><P>I agree with some of what you say, however you can have a device with a restricted license - BUT contains failover functinonality.</P><P></P><P>You should not be able to put an unrestrcited feature activation key into an restricted device.</P><P></P><P>Do you have a specific issue that I or the Netpro forum can help with?</P></BODY></HTML> Tue, 06 Oct 2009 11:35:46 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281590#M758414 andrew.prince 2009-10-06T11:35:46Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281591#M758441 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you are using a cable based failover you dont really need to configure a failover key on the security appliance. </P><P></P><P>failover key is only to encrypt all the communication between the failover devices. If failover key is not specified the communication between the failover devices happen in a clear text. </P><P></P><P>On the PIX security appliance platform, if you are using the dedicated serial failover cable to connect the units, then communication over the failover link is not encrypted even if a failover key is configured. The failover key only encrypts LAN-based failover communication. </P><P></P><P>For more information you can refer to the following link</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1927595" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1927595</A></P><P></P><P>Do let me know if you have any further questions.</P><P></P><P>Thanks,</P></BODY></HTML> Tue, 06 Oct 2009 23:56:32 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281591#M758441 Saurabh Kishore 2009-10-06T23:56:32Z https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281592#M758473 <HTML><HEAD></HEAD><BODY><P>Hi sakishor,</P><P></P><P>Cureently the firewall are running on the lan based cable failover, there is no failover key set for the same. now i have set the same without any downtime...</P><P></P><P>thanks in advance.</P></BODY></HTML> Wed, 07 Oct 2009 03:37:43 GMT https://community.cisco.com/t5/network-security/failover-key-in-pix/m-p/1281592#M758473 CSCO10905906 2009-10-07T03:37:43Z